Information Security & Risk Management
CHAPTER 1
Information Security and Risk Management
Agenda
Fundamentals of Security
Types of Attacks
Risk Management
Security Blueprints
Policies, Standards, Procedures, Guidelines
Roles and Responsibilities
SLAs
Data Classification
Certification, Accreditation and Auditing
Knowledge Transfer
Well Known Exploits
The Role of Information Security Within an Organization
First priority is to support the mission of the organization
Requires judgment based on risk tolerance of organization, cost and benefit
Role of the security professional is that of a risk advisor, not a decision maker.
Planning Horizon
Strategic Goals
Over-arching; supported by the tactical and operational goals
Tactical Goals
Mid-Term - lay the necessary foundation to accomplish Strategic Goals
Operational Goals
Day-to-day - focus on productivity and task-oriented activities
Security Fundamentals
C-I-A Triad
Confidentiality
Integrity
Availability
Confidentiality
Prevent unauthorized disclosure
Social Engineering: Training, Separation of Duties, Enforce Policies and Conduct Vulnerability Assessments
Media Reuse: Proper Sanitization Strategies
Eavesdropping: Encrypt; Keep sensitive information off the network
Integrity
Detect modification of information
Corruption
Intentional or Malicious Modification
Controls: Message Digest (Hash), MAC, Digital Signatures
Availability
Provide timely and reliable access to resources
Redundancy, redundancy, redundancy
Prevent single points of failure
Comprehensive fault tolerance (Data, Hard Drives, Servers, Network Links, etc.)
Best Practices (to protect C-I-A)
Separation of Duties (SOD)
Mandatory Vacations
Job Rotation
Least Privilege
Need to Know
Dual Control
Defense in Depth
Also known as layered defense
No one device will PREVENT an attacker
Three main types of controls:
Technical (Logical)
Administrative
Physical
Risk
Every decision starts with looking at risk
Determine the value of your assets
Look to identify the potential for loss
Find a cost-effective solution that reduces risk to an acceptable level (rarely can we eliminate risk)
Safeguards are proactive; countermeasures are reactive
Risk Definitions
Asset: Anything of value to the company
Vulnerability: A weakness; the absence of a safeguard
Threat: Something that could pose loss to all or part of an asset
Threat Agent: What carries out the attack
Exploit: An instance of compromise
Risk: The probability of a threat materializing (and its impact if it does)
Controls: Physical, Administrative and Technical protections; Safeguards (proactive) and Countermeasures (reactive)
Sources of Risk
Weak or non-existent anti-virus software
Disgruntled employees
Poor physical security
Weak access control
No change management
No formal process for hardening systems
Lack of redundancy
Poorly trained users
Risk Management
The process of identifying, analyzing, assessing, mitigating or transferring risk. Its main goal is the reduction of the probability or impact of a risk.
Summary topic that includes all risk-related actions
Includes Assessment, Analysis, Mitigation and Ongoing Risk Monitoring
Risk Management
• Risk Assessment
  • Identify and Value Assets
  • Identify Threats and Vulnerabilities
• Risk Analysis
  • Qualitative
  • Quantitative
• Risk Mitigation/Response
  • Reduce / Avoid
  • Transfer
  • Accept / Reject
• Ongoing Risk Monitoring
Risk Assessment
Looks at risks for a specific period in time and must be reassessed periodically
Risk Management is an ongoing process
The following steps are part of a Risk Assessment per NIST 800-30:
System Characterization
Threat Identification
Vulnerability Identification
Control Analysis
Likelihood Determination
Impact Analysis
Risk Determination
Control Recommendation
Results Documentation
Risk Analysis
Determining a value for a risk
Qualitative vs. Quantitative
Risk Value = Probability * Impact
Probability: How likely is the threat to materialize?
Impact: How much damage will there be if it does?
Could also be referred to as likelihood and severity.
Risk Analysis
Qualitative Analysis (subjective, judgment-based): Probability and Impact Matrix
Quantitative Analysis (objective, numbers-driven):
AV (Asset Value)
EF (Exposure Factor): the fraction of the asset's value lost in a single incident
ARO (Annual Rate of Occurrence)
SLE (Single Loss Expectancy) = AV * EF
ALE (Annual Loss Expectancy) = SLE * ARO
The annual cost of a control should be the same as or less than the potential for loss it prevents (the ALE it reduces); otherwise the control costs more than the risk it addresses.
Qualitative Analysis
Subjective in nature
Uses words like "high", "medium" and "low" to describe the likelihood and severity (or probability and impact) of a threat exposing a vulnerability
The Delphi technique (anonymous, iterative polling of experts until their estimates converge) is often used to solicit opinions free of group pressure
Quantitative Analysis
More experience required than with qualitative analysis
Involves calculations to determine a dollar value associated with each risk event
Business decisions are made on this type of analysis
Goal is to determine the dollar value of a risk and use that amount to select the best control for a particular asset
Necessary for a cost/benefit analysis
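The SLE/ALE arithmetic from the Risk Analysis and Quantitative Analysis slides, carried through to an actual control decision, as an added worked example that is not part of the original course material. It goes slightly beyond the slides by comparing several candidate safeguards for one risk with the standard value-of-safeguard test, (ALE before) - (ALE after) - (annual cost of the safeguard), and by recommending that the risk be accepted when no control pays for itself. The asset, exposure factors, occurrence rates, control names and costs are constructed for the example and are not figures from the page.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

Added illustration for the SLE/ALE formulas on this page; not code from the
original course material. All dollar figures, exposure factors and
occurrence rates below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    """One risk scenario against one asset, in annual dollar terms."""
    name: str
    asset_value: float      # AV: replacement/recovery value of the asset
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and its effect on one risk."""
    name: str
    annual_cost: float          # purchase, maintenance and operation, per year
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float              # ARO once the control is in place

    def value(self, risk: Risk) -> float:
        """Net annual value of the safeguard:
        (ALE before) - (ALE after) - (annual cost of safeguard).
        Positive means the control costs less than the loss it prevents."""
        after = Risk(risk.name, risk.asset_value, self.new_exposure_factor, self.new_aro)
        return risk.ale() - after.ale() - self.annual_cost


def choose_safeguard(risk: Risk, candidates: List[Safeguard]) -> Optional[Safeguard]:
    """Return the candidate with the highest positive net value, or None when
    every option costs more per year than the loss it prevents (accept the risk)."""
    best = max(candidates, key=lambda s: s.value(risk), default=None)
    if best is None or best.value(risk) <= 0:
        return None
    return best


# Constructed scenario (not from the page): ransomware against a customer database server.
DB_SERVER_RANSOMWARE = Risk(
    name="ransomware on customer DB server",
    asset_value=500_000.0,   # AV
    exposure_factor=0.40,    # EF: 40% of the asset's value lost per incident
    aro=0.5,                 # ARO: one incident every two years
)

CANDIDATE_CONTROLS = [
    # Tested offline backups: ARO unchanged, loss per incident cut sharply.
    Safeguard("offline backups with restore testing", annual_cost=20_000.0,
              new_exposure_factor=0.05, new_aro=0.5),
    # EDR plus egress filtering: reduces both frequency and severity.
    Safeguard("EDR + egress filtering", annual_cost=60_000.0,
              new_exposure_factor=0.20, new_aro=0.2),
    # Gold-plated option: costs more per year than the whole ALE it removes.
    Safeguard("full network rebuild", annual_cost=150_000.0,
              new_exposure_factor=0.02, new_aro=0.1),
]


def report(risk: Risk, candidates: List[Safeguard]) -> str:
    """Human-readable summary of the calculation and the recommendation."""
    lines = [f"{risk.name}: SLE=${risk.sle():,.0f} ALE=${risk.ale():,.0f}"]
    for c in candidates:
        lines.append(f"  {c.name:40s} net value/yr ${c.value(risk):>10,.0f}")
    chosen = choose_safeguard(risk, candidates)
    lines.append("  recommendation: " + (chosen.name if chosen else "accept the risk"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(DB_SERVER_RANSOMWARE, CANDIDATE_CONTROLS))
```

In the constructed scenario the backups option wins (net value $67,500 per year), the EDR option still pays for itself ($20,000), and the rebuild loses $51,000 a year because its cost exceeds the entire $100,000 ALE; the comparison is what turns the formulas into a defensible control recommendation.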
Mitigating Risk
Three acceptable risk responses: Reduce, Transfer, Accept
Secondary risks: new risks introduced by the chosen response
Residual risks: the risk that remains after controls are applied
Continue to monitor for risks
How we decide to mitigate business risks becomes the basis for Security Governance and Policy
Security Governance
The IT Governance Institute in its Board Briefing on IT Governance, 2nd Edition, defines Security governance as follows:
“Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.”
Security Blueprints
For achieving "Security Governance"
BS 7799, ISO 17799 and the 27000 Series
COBIT and COSO
OCTAVE
ITIL
COBIT and COSO
COBIT (Control Objectives for Information and related Technology), published by ISACA
COSO (Committee of Sponsoring Organizations of the Treadway Commission)
ITIL
Information Technology Infrastructure Library (ITIL) is the de facto standard for best practices in IT service management
5 Service Management Publications: Service Strategy, Service Design, Service Transition, Service Operation, Continual Service Improvement
**While the publications of ITIL are not testable, its purpose and comprehensive approach are testable. It provides best practices for the organization and the means by which to implement those practices.
OCTAVE
Operationally Critical Threat, Asset and Vulnerability Evaluation
Self-directed risk evaluation developed by Carnegie Mellon's Software Engineering Institute
People within an organization are the ones who direct the risk analysis
A suite of tools, techniques and methods for risk-based information security strategic assessment and planning
1. Identify Assets
2. Identify Vulnerabilities
3. Risk Analysis and Mitigation
BS 7799, ISO 17799, 27000 Series
BS 7799-1 was adopted as ISO 17799 and later renamed ISO 27002 to fit into the ISO 27000 numbering scheme; BS 7799-2 became ISO 27001
ISO 27000 Series
ISO 27001: Establishment, implementation, control and improvement of the ISMS. Follows the PDCA (Plan, Do, Check, Act) cycle.
ISO 27002: Replaced ISO 17799. Provides practical advice on how to implement security controls, organized into control domains (10 in ISO 17799:2000, 11 in ISO 27002:2005).
ISO 27004: Provides metrics for measuring the success of the ISMS
ISO 27005: A standards-based approach to information security risk management
ISO 27799: Directives on protecting personal health information (applies ISO 27002 to health informatics)
The Plan Do Check Act (PDCA) Model
* Deming – TQM (basis for Six Sigma)
* ISO 9001:2008
* Best Practice for ISM Governance
[Diagram: the PDCA cycle applied to the ISMS]
PLAN: Establish the ISMS
DO: Implement and Operate the ISMS
CHECK: Monitor and Review the ISMS
ACT: Maintain and Improve the ISMS
Input from interested parties: Information security requirements and expectations
Output to interested parties: Managed information security
Approach to Security Management
Top-Down Approach
Security practices are directed and supported at the senior management level
Bottom-Up Approach
The IT department tries to implement security on its own, without direction or support from senior management
[Diagram: organizational pyramids (Senior Management over Middle Management over Staff) for the top-down and bottom-up approaches]
Information Security Management Program
Senior management's involvement
Governance
Policies/Standards/Procedures/Guidelines
Roles and Responsibilities
SLAs (Service Level Agreements)/Outsourcing
Data Classification/Security
C&A (Certification and Accreditation)
Auditing
Senior Management Role
CEO, CSO, CIO, etc.
Ultimately responsible for security within an organization
Development and support of policies
Allocation of resources
Decisions based on risk
Prioritization of business processes
Liabilities
Legal liability is an important consideration for risk assessment and analysis.
Addresses whether or not a company is responsible for specific actions or inaction.
Who is responsible for the security within an organization? Senior management
Are we liable in the instance of a loss?
Due diligence: Continuously monitoring an organization's practices to ensure they are meeting or exceeding the security requirements.
Due care: Ensuring that "best practices" are implemented and followed; following up due diligence with action.
Prudent man rule: Acting responsibly and cautiously, as a prudent man would.
Best practices: Organizations are aligned with the favored practices within an industry.
Organizational Security Policy
aka Program Policy
Mandatory
High-level statement from management
Should support the strategic goals of an organization
Explain any legislation or industry-specific drivers
Assigns responsibility
Should be integrated into all business functions
Enforcement and accountability
Issue and System Specific Policy
Issue Specific policy, sometimes called Functional Implementation policy, would include the company's stance on various employee issues. AUP, Email and Privacy would all be covered under issue-specific policy.
System Specific policy is geared toward the use of network and system resources: approved software lists, use of firewalls, IDS, scanners, etc.
Other Types of Policies
Regulatory
Advisory
Informative
Security Policy Document Relationships
Laws, Regulations and Best Practices, together with Management's Security Directives, drive the
Program or Organizational Policy, which is implemented through
Functional (Issue and System Specific) Policies, which are in turn supported by
Standards, Procedures, Baselines and Guidelines
Standards
Mandatory
Created to support policy while providing more specifics
Reinforces policy and provides direction
Can be internal or external
Procedures
Mandatory
Step-by-step directives on how to accomplish an end result
Detail the "how-to" of meeting the policy, standards and guidelines
Guidelines
Not mandatory
Suggestive in nature
Recommended actions and guides to users
"Best Practices"
Baselines
Mandatory
Minimum acceptable security configuration for a system or process
The purpose of security classification is to determine and assign the necessary baseline configuration to protect the data
Personnel Security Policies (examples)
Hiring Practices and Procedures
Background Checks/Screening
NDAs
Employee Handbooks
Formal Job Descriptions
Accountability
Termination
Roles and Responsibilities
Senior/Executive Management
CEO: Chief Decision-Maker
CFO: Responsible for budgeting and finances
CIO: Ensures technology supports the company's objectives
ISO: Risk Analysis and Mitigation
Steering Committee: Define risks, objectives and approaches
Auditors: Evaluates business processes
Data Owner: Classifies Data
Data Custodian: Day to day maintenance of data
Network Administrator: Ensures availability of network resources
Security Administrator: Responsible for all security-related tasks, focusing on Confidentiality and Integrity
Responsibilities of the ISO
Responsible for providing C-I-A for all information assets
Communication of risks to senior management
Recommend best practices to influence policies, standards, procedures and guidelines
Establish security measurements
Ensure compliance with government and industry regulations
Maintain awareness of emerging threats
Auditing Role
Objective evaluation of controls and policies to ensure that they are being implemented and are effective.
If internal auditing is in place, auditors should not report to the head of a business unit, but rather to legal, human resources or some other entity without a direct stake in the result.
Data Classification
Development of sensitivity labels for data and the assignment of those labels, for the purpose of configuring baseline security based on the value of the data
Cost: Value of the data
Classify: Criteria for classification
Controls: Determining the baseline security configuration for each classification
Considerations for Asset Valuation
What makes up the value of an asset?
Value to the organization
Loss if compromised
Legislative drivers
Liabilities
Value to competitors
Acquisition costs
And many others
Assessment
Identify and Value Assets
Identify Threats and Vulnerabilities
Methodologies:
OCTAVE: an approach where analysts identify assets and their criticality, identify vulnerabilities and threats, and base the protection strategy on reducing risk
FRAP: Facilitated Risk Analysis Process. A qualitative analysis used to determine whether or not to proceed with a quantitative analysis; if likelihood or impact is too low, the quantitative analysis is forgone.
NIST 800-30: Risk Management Guide for Information Technology Systems
Risk Analysis
Qualitative: Subjective analysis to help prioritize the probability and impact of risk events. May use the Delphi Technique.
Quantitative: Providing a dollar value for a particular risk event. Much more sophisticated in nature; a quantitative analysis is much more difficult and requires a special skill set. Business decisions are made on a quantitative analysis. Can't exist on its own: quantitative analysis depends on qualitative information.
Knowledge Transfer
Awareness, Training, Education
“People are often the weakest link in securing information. Awareness of the need to protect information, training in the skills needed to operate them securely, and education in security measures and practices are of critical importance for the success of an organization’s security program.”
The Goal of Knowledge Transfer is to modify employee behavior
Being Aware of the Rules
Security Awareness Training
Employees cannot and will not follow the directives and procedures if they do not know about them
Employees must know the expectations, and the ramifications if they are not met
Employee recognition award program
Part of due care
Administrative control
Awareness/Training/Education Benefits
Overriding Benefits:
Modifies employee behavior and improves attitudes towards information security
Increases ability to hold employees accountable for their actions
Raises collective security awareness level of the organization
Awareness/Training/Education Implementation:
Basic security training should be required for all employees.
Advanced training may be needed for managers.
Specialized training is necessary for system administrators and information systems auditors.
Specialized training is normally delivered through external programs.
Should be regarded as part of career development.
Information Security Governance and Risk Management Review
Fundamentals of Security
Types of Attacks
Risk Management
Security Blueprints
Policies, Standards, Procedures, Guidelines
Roles and Responsibilities
SLAs
Data Classification
Certification, Accreditation and Auditing
Knowledge Transfer